1 files changed, 0 insertions, 134 deletions
diff --git a/src/lib/libssl/d1_clnt.c b/src/lib/libssl/d1_clnt.c
index 38118b1385..8967879f70 100644
--- a/src/lib/libssl/d1_clnt.c
+++ b/src/lib/libssl/d1_clnt.c
@@ -115,9 +115,6 @@
 #include <stdio.h>
 #include "ssl_locl.h"
-#ifndef OPENSSL_NO_KRB5
-#include "kssl_lcl.h"
-#endif
 #include <openssl/buffer.h>
 #include <openssl/rand.h>
 #include <openssl/objects.h>
@@ -926,9 +923,6 @@ dtls1_send_client_key_exchange(SSL *s)
        unsigned long alg_k;
        unsigned char *q;
        EVP_PKEY *pkey = NULL;
-#ifndef OPENSSL_NO_KRB5
-        KSSL_ERR kssl_err;
-#endif /* OPENSSL_NO_KRB5 */
 #ifndef OPENSSL_NO_ECDH
        EC_KEY *clnt_ecdh = NULL;
        const EC_POINT *srvr_ecpoint = NULL;
@@ -992,134 +986,6 @@ dtls1_send_client_key_exchange(SSL *s)
                        tmp_buf, sizeof tmp_buf);
                        OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
                }
-#ifndef OPENSSL_NO_KRB5
-                else if (alg_k & SSL_kKRB5) {
-                        krb5_error_code krb5rc;
-                        KSSL_CTX        *kssl_ctx = s->kssl_ctx;
-                        /*  krb5_data   krb5_ap_req;  */
-                        krb5_data       *enc_ticket;
-                        krb5_data       authenticator, *authp = NULL;
-                        EVP_CIPHER_CTX  ciph_ctx;
-                        const EVP_CIPHER *enc = NULL;
-                        unsigned char   iv[EVP_MAX_IV_LENGTH];
-                        unsigned char   tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
-                        unsigned char   epms[SSL_MAX_MASTER_KEY_LENGTH
-                        + EVP_MAX_IV_LENGTH];
-                        int             padl, outl = sizeof(epms);
-                        EVP_CIPHER_CTX_init(&ciph_ctx);
-#ifdef KSSL_DEBUG
-                        printf("ssl3_send_client_key_exchange(%lx & %lx)\n",
-                        alg_k, SSL_kKRB5);
-#endif  /* KSSL_DEBUG */
-                        authp = NULL;
-#ifdef KRB5SENDAUTH
-                        if (KRB5SENDAUTH)
-                                authp = &authenticator;
-#endif  /* KRB5SENDAUTH */
-                        krb5rc = kssl_cget_tkt(kssl_ctx, &enc_ticket, authp,
-                        &kssl_err);
-                        enc = kssl_map_enc(kssl_ctx->enctype);
-                        if (enc == NULL)
-                                goto err;
-#ifdef KSSL_DEBUG
-                        {
-                                printf("kssl_cget_tkt rtn %d\n", krb5rc);
-                                if (krb5rc && kssl_err.text)
-                                        printf("kssl_cget_tkt kssl_err=%s\n", kssl_err.text);
-                        }
-#endif  /* KSSL_DEBUG */
-                        if (krb5rc) {
-                                ssl3_send_alert(s, SSL3_AL_FATAL,
-                                SSL_AD_HANDSHAKE_FAILURE);
-                                SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
-                                kssl_err.reason);
-                                goto err;
-                        }
-                        /*  20010406 VRS - Earlier versions used KRB5 AP_REQ
-                        **  in place of RFC 2712 KerberosWrapper, as in:
-                        **
-                        **  Send ticket (copy to *p, set n = length)
-                        **  n = krb5_ap_req.length;
-                        **  memcpy(p, krb5_ap_req.data, krb5_ap_req.length);
-                        **  if (krb5_ap_req.data)  
-                        **    kssl_krb5_free_data_contents(NULL,&krb5_ap_req);
-                        **
-                        **  Now using real RFC 2712 KerberosWrapper
-                        **  (Thanks to Simon Wilkinson <sxw@sxw.org.uk>)
-                        **  Note: 2712 "opaque" types are here replaced
-                        **  with a 2-byte length followed by the value.
-                        **  Example:
-                        **  KerberosWrapper= xx xx asn1ticket 0 0 xx xx encpms
-                        **  Where "xx xx" = length bytes.  Shown here with
-                        **  optional authenticator omitted.
-                        */
-                        /*  KerberosWrapper.Ticket              */
-                        s2n(enc_ticket->length, p);
-                        memcpy(p, enc_ticket->data, enc_ticket->length);
-                        p += enc_ticket->length;
-                        n = enc_ticket->length + 2;
-                        /*  KerberosWrapper.Authenticator       */
-                        if (authp && authp->length) {
-                                s2n(authp->length, p);
-                                memcpy(p, authp->data, authp->length);
-                                p += authp->length;
-                                n += authp->length + 2;
-                                free(authp->data);
-                                authp->data = NULL;
-                                authp->length = 0;
-                        } else {
-                                s2n(0, p);/*  null authenticator length */
-                                n += 2;
-                        }
-                        if (RAND_bytes(tmp_buf, sizeof tmp_buf) <= 0)
-                                goto err;
-                        /*  20010420 VRS.  Tried it this way; failed.
-                        **      EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL);
-                        **      EVP_CIPHER_CTX_set_key_length(&ciph_ctx,
-                        **                              kssl_ctx->length);
-                        **      EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv);
-                        */
-                        memset(iv, 0, sizeof iv);
-                        /* per RFC 1510 */
-                        EVP_EncryptInit_ex(&ciph_ctx, enc, NULL,
-                            kssl_ctx->key, iv);
-                        EVP_EncryptUpdate(&ciph_ctx, epms, &outl, tmp_buf,
-                            sizeof tmp_buf);
-                        EVP_EncryptFinal_ex(&ciph_ctx, &(epms[outl]), &padl);
-                        outl += padl;
-                        if (outl > (int)sizeof epms) {
-                                SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
-                                goto err;
-                        }
-                        EVP_CIPHER_CTX_cleanup(&ciph_ctx);
-                        /*  KerberosWrapper.EncryptedPreMasterSecret    */
-                        s2n(outl, p);
-                        memcpy(p, epms, outl);
-                        p += outl;
-                        n += outl + 2;
-                        s->session->master_key_length =
-                            s->method->ssl3_enc->generate_master_secret(s,
-                                s->session->master_key,
-                                tmp_buf, sizeof tmp_buf);
-                        OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
-                        OPENSSL_cleanse(epms, outl);
-                }
-#endif
 #ifndef OPENSSL_NO_DH
                else if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) {
                        DH *dh_srvr, *dh_clnt;

diff --git a/src/lib/libssl/d1_clnt.c b/src/lib/libssl/d1_clnt.c index 38118b1385..8967879f70 100644 --- a/src/lib/libssl/d1_clnt.c +++ b/src/lib/libssl/d1_clnt.c
@@ -115,9 +115,6 @@
115		115
116	#include <stdio.h>	116	#include <stdio.h>
117	#include "ssl_locl.h"	117	#include "ssl_locl.h"
118	#ifndef OPENSSL_NO_KRB5
119	#include "kssl_lcl.h"
120	#endif
121	#include <openssl/buffer.h>	118	#include <openssl/buffer.h>
122	#include <openssl/rand.h>	119	#include <openssl/rand.h>
123	#include <openssl/objects.h>	120	#include <openssl/objects.h>
@@ -926,9 +923,6 @@ dtls1_send_client_key_exchange(SSL *s)
926	unsigned long alg_k;	923	unsigned long alg_k;
927	unsigned char *q;	924	unsigned char *q;
928	EVP_PKEY *pkey = NULL;	925	EVP_PKEY *pkey = NULL;
929	#ifndef OPENSSL_NO_KRB5
930	KSSL_ERR kssl_err;
931	#endif /* OPENSSL_NO_KRB5 */
932	#ifndef OPENSSL_NO_ECDH	926	#ifndef OPENSSL_NO_ECDH
933	EC_KEY *clnt_ecdh = NULL;	927	EC_KEY *clnt_ecdh = NULL;
934	const EC_POINT *srvr_ecpoint = NULL;	928	const EC_POINT *srvr_ecpoint = NULL;
@@ -992,134 +986,6 @@ dtls1_send_client_key_exchange(SSL *s)
992	tmp_buf, sizeof tmp_buf);	986	tmp_buf, sizeof tmp_buf);
993	OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);	987	OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
994	}	988	}
995	#ifndef OPENSSL_NO_KRB5
996	else if (alg_k & SSL_kKRB5) {
997	krb5_error_code krb5rc;
998	KSSL_CTX *kssl_ctx = s->kssl_ctx;
999	/* krb5_data krb5_ap_req; */
1000	krb5_data *enc_ticket;
1001	krb5_data authenticator, *authp = NULL;
1002	EVP_CIPHER_CTX ciph_ctx;
1003	const EVP_CIPHER *enc = NULL;
1004	unsigned char iv[EVP_MAX_IV_LENGTH];
1005	unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
1006	unsigned char epms[SSL_MAX_MASTER_KEY_LENGTH
1007	+ EVP_MAX_IV_LENGTH];
1008	int padl, outl = sizeof(epms);
1009
1010	EVP_CIPHER_CTX_init(&ciph_ctx);
1011
1012	#ifdef KSSL_DEBUG
1013	printf("ssl3_send_client_key_exchange(%lx & %lx)\n",
1014	alg_k, SSL_kKRB5);
1015	#endif /* KSSL_DEBUG */
1016
1017	authp = NULL;
1018	#ifdef KRB5SENDAUTH
1019	if (KRB5SENDAUTH)
1020	authp = &authenticator;
1021	#endif /* KRB5SENDAUTH */
1022
1023	krb5rc = kssl_cget_tkt(kssl_ctx, &enc_ticket, authp,
1024	&kssl_err);
1025	enc = kssl_map_enc(kssl_ctx->enctype);
1026	if (enc == NULL)
1027	goto err;
1028	#ifdef KSSL_DEBUG
1029	{
1030	printf("kssl_cget_tkt rtn %d\n", krb5rc);
1031	if (krb5rc && kssl_err.text)
1032	printf("kssl_cget_tkt kssl_err=%s\n", kssl_err.text);
1033	}
1034	#endif /* KSSL_DEBUG */
1035
1036	if (krb5rc) {
1037	ssl3_send_alert(s, SSL3_AL_FATAL,
1038	SSL_AD_HANDSHAKE_FAILURE);
1039	SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
1040	kssl_err.reason);
1041	goto err;
1042	}
1043
1044	/* 20010406 VRS - Earlier versions used KRB5 AP_REQ
1045	** in place of RFC 2712 KerberosWrapper, as in:
1046	**
1047	** Send ticket (copy to *p, set n = length)
1048	** n = krb5_ap_req.length;
1049	** memcpy(p, krb5_ap_req.data, krb5_ap_req.length);
1050	** if (krb5_ap_req.data)
1051	** kssl_krb5_free_data_contents(NULL,&krb5_ap_req);
1052	**
1053	** Now using real RFC 2712 KerberosWrapper
1054	** (Thanks to Simon Wilkinson <sxw@sxw.org.uk>)
1055	** Note: 2712 "opaque" types are here replaced
1056	** with a 2-byte length followed by the value.
1057	** Example:
1058	** KerberosWrapper= xx xx asn1ticket 0 0 xx xx encpms
1059	** Where "xx xx" = length bytes. Shown here with
1060	** optional authenticator omitted.
1061	*/
1062
1063	/* KerberosWrapper.Ticket */
1064	s2n(enc_ticket->length, p);
1065	memcpy(p, enc_ticket->data, enc_ticket->length);
1066	p += enc_ticket->length;
1067	n = enc_ticket->length + 2;
1068
1069	/* KerberosWrapper.Authenticator */
1070	if (authp && authp->length) {
1071	s2n(authp->length, p);
1072	memcpy(p, authp->data, authp->length);
1073	p += authp->length;
1074	n += authp->length + 2;
1075
1076	free(authp->data);
1077	authp->data = NULL;
1078	authp->length = 0;
1079	} else {
1080	s2n(0, p);/* null authenticator length */
1081	n += 2;
1082	}
1083
1084	if (RAND_bytes(tmp_buf, sizeof tmp_buf) <= 0)
1085	goto err;
1086
1087	/* 20010420 VRS. Tried it this way; failed.
1088	** EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL);
1089	** EVP_CIPHER_CTX_set_key_length(&ciph_ctx,
1090	** kssl_ctx->length);
1091	** EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv);
1092	*/
1093
1094	memset(iv, 0, sizeof iv);
1095	/* per RFC 1510 */
1096	EVP_EncryptInit_ex(&ciph_ctx, enc, NULL,
1097	kssl_ctx->key, iv);
1098	EVP_EncryptUpdate(&ciph_ctx, epms, &outl, tmp_buf,
1099	sizeof tmp_buf);
1100	EVP_EncryptFinal_ex(&ciph_ctx, &(epms[outl]), &padl);
1101	outl += padl;
1102	if (outl > (int)sizeof epms) {
1103	SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
1104	goto err;
1105	}
1106	EVP_CIPHER_CTX_cleanup(&ciph_ctx);
1107
1108	/* KerberosWrapper.EncryptedPreMasterSecret */
1109	s2n(outl, p);
1110	memcpy(p, epms, outl);
1111	p += outl;
1112	n += outl + 2;
1113
1114	s->session->master_key_length =
1115	s->method->ssl3_enc->generate_master_secret(s,
1116	s->session->master_key,
1117	tmp_buf, sizeof tmp_buf);
1118
1119	OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
1120	OPENSSL_cleanse(epms, outl);
1121	}
1122	#endif
1123	#ifndef OPENSSL_NO_DH	989	#ifndef OPENSSL_NO_DH
1124	else if (alg_k & (SSL_kEDH\|SSL_kDHr\|SSL_kDHd)) {	990	else if (alg_k & (SSL_kEDH\|SSL_kDHr\|SSL_kDHd)) {
1125	DH dh_srvr, dh_clnt;	991	DH dh_srvr, dh_clnt;